Wherever personal details are captured as part of the Service these will only be accessible to those who need to use them. They will only be used in other contexts if the data subjects explicitly opt in. We do not share personal details further without permission.

External Audit

imin is an IASME Gold Certified Company through continuous self-assessment and independent annual audit. The most recent annual audit was completed on 19 November 2017.

Data Centre Locations

Where possible all core platform infrastructure and peripheral cloud services reside within the European Economic Area (EEA). Where services reside outside of the EEA, they are certified under the EU-US Privacy Shield. This ensures that "appropriate safeguards" are in place for GDPR compliance (see Art 46 of the GDPR).

E-mail and Productivity Tools

imin’s core e-mail, productivity and collaboration tools are provided by G Suite, which is run within Google’s global infrastructure (https://gsuite.google.co.uk/intl/en_uk/security/). When sharing e-mail and documents with imin using this medium, data may be transmitted outside of the EEA. Google provides capabilities and contractual commitments for their customers designed specifically to help address EU data protection requirements and the guidance provided by the Article 29 Working Party. G Suite offers EU Model Contract Clauses and a Data Processing Amendment, which imin accepted on 17 October 2017. Additionally, G Suite has been assessed as appropriate for use with the UK government's Cloud Security Principles "OFFICIAL (including OFFICIAL-SENSITIVE)". Google also complies with ISO 27001, SOC 2 and SOC 3.

imin do not store credit card information directly, and instead use a tokenisation mechanism over a secure SSL connection to defer this storage to Stripe, which assures PCI DSS compliance using the “Pre-filled SAQ A” method (https://stripe.com/docs/security).

Organisational Measures

All of the following organisational measures are included in imin’s Information Security Policy, which each member of staff strictly adheres to.

All data and services are classified according to documented data classification criteria, and access to personal and confidential data is only provided for the period during which it is required.

Access to cloud-based infrastructure is restricted to a specifically configured, heavily controlled and restricted browser profile.

Browser extension and cloud service whitelists are regularly reviewed.

Information assets are logged and controlled.

Risks are logged against key assets and regularly reviewed.

No user uses an account with administrator-level access for business as usual.

Data is not stored on devices longer than is necessary.

We use platform-as-a-service infrastructure for all internet-facing product components, which outsources the reliability and security of the underlying infrastructure to compliant global leaders in these fields.

Use of USB sticks is not permitted except under exceptional circumstances.

We have mechanisms in place which make it easy for any data subject to remove consent for data processing, ensuring that it is as easy to remove consent as it was for them to give it.

Technical Measures

All of the following technical measures are centrally controlled, enforced, managed and monitored.

Full disk encryption is enforced on all devices, and data on core cloud-infrastructure is encrypted at rest.

All accounts are protected via two-factor authentication with strong passwords, either directly for high classification data and services, or indirectly through the use of a centrally managed password manager.

A mobile device management solution is used across laptops and mobile devices, which enforces device encryption and password strength, and allows devices to be remotely wiped if lost or stolen.

Application whitelisting is enforced on all mobile devices, ensuring that only approved apps have access to company data, and those apps are isolated from the rest of the device.

A centrally managed and monitored vulnerability scanner runs on all laptops, ensuring that the operating system and all applications installed on each machine are kept up-to-date with security patches, and that they are versions that are fully licensed and vendor-supported.

Anti-virus software is installed on all laptops, and is centrally managed and monitored.

An external service regularly scans the product codebase for third-party components with known vulnerabilities using sources which include the NIST NVD (https://nvd.nist.gov/) database.

An external service runs continuous penetration testing and monitoring across all products, which includes scanning for the Open Web Application Security Project (OWASP) list of the ten most common vulnerabilities.

All product services use HTTPS.

The office network is secure and firewalled, and all laptops have their firewalls enabled.

CONTACT

Questions, comments and requests regarding our security are welcomed and should be sent to our trading address at IMIN LTD, 14-22, Elder Street, London, E1 6BT, or emailed to hello@imin.co.